# Chapter 4. Basic arithmetic and applications to cryptography

This chapter consists only of exercises, some of them related to the course *Introduction à la cryptographie* by Abderrahmane Nitaj.  
In Chapter 3, we discovered basic Sage functions for arithmetic and you can come back to this chapter if necessary.

$\newcommand{\Z}{\mathbb{Z}}$
$\newcommand{\N}{\mathbb{N}}$


## 4.1 Exercise - The Prime Number Theorem



The prime-counting function is defined by $\pi(x) = \# \{ p \in \mathbb{N} \mid p \leq x,\, p \text{ is a prime number} \}$. In Sage this function is called `prime_pi`.

The *Prime Number Theorem* (1896) [PNT] describes the asymptotic distribution of the prime numbers among the positive integers. It states that:
$$ \lim_{x \to +\infty} \frac{\pi(x)}{x/\log(x)} = 1$$
where $\log$ denotes the natural logarithm function.

1\. Plot together the functions $\pi(x)$ and $x/\log(x)$.

The difference between both functions seems to increase as $x\to +\infty$. Is there a contradiction with the PNT?

2\. Print a table of values of $\pi(x)$, $\dfrac{x}{\log(x)}$, $\left|\pi(x) - \dfrac{x}{\log x}\right|$ and $\left|  \dfrac{\pi(x)-x/\log(x)}{\pi(x)}\right|$ for $x \in \{10000,20000,\cdots,100000\}$.

3\. According to the PNT, we have as $x\to +\infty$: $$\dfrac{\pi(x)}{x} \sim \dfrac{1}{\log x}.$$
    a) Let $k$ be a large number. If we pick a random integer in the interval $[1,10^k]$, what is the approximate probability that it is a prime number?

 b) We pick random integers with $k$ digits and stop as soon as we get a prime number. How many integers will we have to pick in average?

c) Check experimentally this result for $k=100$. Hint: look at the `ZZ.random_element()` function. Other hint: use the `is_pseudoprime` (instead of `is_prime`) method to have a quicker (pseudo)primality test.

d) Using this idea, construct in Sage a random prime generator of fixed number of digits. Use it to find a prime number with $700$ digits.

## 4.2 Exercise - The RSA cryptosystem

We first recall how the RSA cryptosystem works.

**Step 1.** Alice picks two large distinct prime numbers $p$ and $q$, and lets $n=pq$.
It is then easy for Alice to compute $\varphi(n) = \varphi(p)\varphi(q)=(p-1)(q-1)$.

**Step 2.** Alice chooses a random integer $e$ such that $1<e<\varphi(n)$ and $\gcd(e,\varphi(n))=1$.

**Step 3.** Alice finds a solution $x=d$ to the equation $ex\equiv 1 \bmod \varphi(n)$.
Alice's public key is now $(n,e)$ and her private key is $(p,q,d)$.

**Step 4.** Let $m<n$ be an integer representing Bob's message for Alice. Using the public key, Bob computes $c = m^e \bmod n$ and sends $c$ to Alice.

**Step 5.** Using her private key, Alice computes $c^d \bmod n$. She recovers Bob's message since $c^d \equiv m \bmod n$.

1\. Recall why there exist integers $d$ and $e$ as in Steps 2 and 3.

2\. Prove the assertion $c^d \equiv m \bmod n$ in Step 5.

3\. Implement the RSA system by writing three functions:
* The `rsakey` function, which takes an integer `bits` as input and outputs a private key `p,q,d` and a public key `n,e`. Prime numbers `p` and `q` should have `bits` number of bits.
* The `encrypt` function, which takes `(m,n,e)` as input (`m` is the message, and `n,e` the public key) and outputs the message encrypted by Bob.
* The `decrypt` function, which takes `(c,p,q,d)` as input (`c` is the encrypted message, `p,q,d` is the private key) and outputs the decrypted message.

Hint: use the functions called `next_prime` and `ZZ.random_element`.

Try to use this RSA system on an example for a $500$-bit key (typical RSA keys require at least $2048$ bits).

## 4.3 Exercise -  Primitive roots modulo $p$

Let $p$ be a prime number. The multiplicative group $(\Z/p\Z)^*$ is always cyclic. This result is used in cryptosystems based on the discrete logarithm problem in the group $(\Z/p\Z)^*$, such as the Diffie-Hellman key exchange. Since $(\Z/p\Z)^*$ is cyclic, it is generated by a single element. Such elements are called *primitive roots modulo $p$*.

Given $p$, we would like to compute a primitive root modulo $p$. However the proof of the cyclicity of $(\Z/p\Z)^*$ is not constructive: it does not provide an explicit form of a primitive root. 

In Sage, the `primitive_root` function already computes a primitive root. We are interested in building such a function ourselves.

1\. To begin with, compute a primitive root modulo $54361$ using the `primitive_root` function.

2\. We now see an example where the modulus is not prime. Using the `multiplicative_order` method in Sage, prove that the group $(\Z/256\Z)^*$ is not cyclic.

3\. Again let $p$ be a prime number. Write a (naive) Sage program which computes a primitive root modulo $p$ by computing the order of the classes $1,2,\ldots \bmod p$ until having a generator of $(\Z/p\Z)^*$.

Try it with $p=101$, $p=11113$, and any other values of $p$ of your choice.

4\. Our experiment suggests that this program for computing a primitive root is reasonably fast. We would like to understand why.

How many generators does the group $(\Z/p\Z)^*$ have? What is the probability that a random element in $(\Z/p\Z)^*$ is a primitive root?

5\. We would like to approximate the quantity $\dfrac{\varphi(p-1)}{p-1}$.

a) Plot its values for all primes in $[0,10000]$ (hint: look at the `prime_range` function).

b) Suppose that $p=1+2q$ where $q$ is a prime number. What is the value of  $\dfrac{\varphi(p-1)}{p-1}$?

c) On the contrary, suppose that $p-1$ as many small prime factors. Can you predict the size of $\dfrac{\varphi(p-1)}{p-1}$?

d) In general for any integer $n\geq 5$, we have $\dfrac{\varphi(n)}{n} \geq \dfrac{1}{6 \log \log n}$. Check that this is compatible with your previous experiments or observations.

<!-- reference for this lower bound: Buchmann's book "Introduction to cryptography" p.66 -->

6\. In our naive algorithm for the primitive root, we used the `multiplicative_order` method of Sage in an crucial way. We would like to implement such a function ourselves.

In general, there is no efficient way of computing the order of an element $g$ in an arbitrary group $G$. We may compute $g,g^2,g^3,\ldots$ until we get $1$ but this is very inefficient. Another better approach is to use the fact that the order of $g$ divides the order $n$ of the group. If we know the factorization of $n$, we get a smaller set of possible values for the order of $g$ and we can try each of them (however in general, we do not have fast algorithms for factoring large integers; many cryptographic protocols are even based on the difficulty of factoring large integers). This is essentially the following statement.

**Lemma**. Let $G$ be a group, $g\in G$, and $d\in\N$. If $g^d=1$ and $g^\frac{d}{q}\neq 1$ for any prime divisor $q$ of $d$ then the order of $g$ is $d$.

Prove this lemma.

7\. Write in Sage a function which, given a prime number $p$ as input, computes a primitive root modulo $p$ as follows: pick a random element of $(\Z/p\Z)^*$ and compute its order using the lemma, until you get a primitive root. Hint: the `prime_factors` method gives the list of prime divisors of an integer.

## 4.4 Exercise -  The discrete logarithm problem and Pohlig–Hellman method

<!-- References: Galbraith Mathematics of cryptography (p. 247); Shoup Computational intro... chap. 11 -->

Let $G$ be a cyclic group of order $N$ and $g$ be a generator of $G$. Let $h\in G$. Since $G$ is cyclic, there exists a unique integer $a$ with $0 \leq a < N$ such that $h = g^a$. The integer $a$ is called the *discrete logarithm* of $h$ to the base $g$.

This is called the *discrete logarithm problem* [DLP] in the group $G$. No efficient method is known for computing discrete logarithms in a general group. Indeed, the security of several important algorithms in public-key cryptography is based on the assumption that the discrete logarithm problem in well-chosen groups has no efficient solution.

For the group $G = (\Z/p\Z)^*$, Sage has a discrete logarithm function: given $h \bmod p$ and a primitive root $g$ modulo $p$, `h.log(g)` computes the discrete logarithm of $h$ to the base $g$. Here is an example:

In [None]:
p = 101
R = Integers(p)
g = R(primitive_root(p))  # a generator of the group
h = R(67)
h.log(g)

In [None]:
g^81 ==  h # we check that the solution works

And a larger example:

In [None]:
p = 10^37+43
p.is_prime()

In [None]:
R = Integers(p)
g = R(2)
g.is_primitive_root()

In [None]:
%time R(17).log(g)

In this exercise, we will not use this Sage function. Instead, we will first look at a very naive approach for the discrete logarithm problem and then study the Pohlig–Hellman method which reduces the problem to the case when the order $N$ of the group is a prime power.

1\. For later use, we need a function which takes an integer `N` as input and outputs the list of factors $[\ell_1^{e_1},\ldots,\ell_n^{e_n}]$ of its unique prime factorization $N = \prod_{i=1}^n \ell_i^{e_i}$. Write a Sage function `prime_power_factors` which does this. You may use the following code as a source of inspiration:

In [None]:
60.factor()

In [None]:
list(60.factor())

In [None]:
L = list(60.factor())
L[0]

2\. The DLP can be solved in a group $G$ naively by brute force: compute $g^1,g^2,...$ until getting $h$. The number of iterations is at most the order $N$ of the group, which makes this method very impractical when $N$ has a large number of digits.

Do it in Sage: write a function `naive_dlp` which takes as input a generator `g` of `G` and an element `h` of `G`, and outputs the discrete logarithm of `h` to the base `g`. Try it on several examples with $G = (\Z/p\Z)^*$, including for large values of the prime $p$. Remember that the `primitive_root` function computes a generator of $(\Z/p\Z)^*$.

3\. *Pohlig–Hellman method* reduces the DLP problem to groups of order a prime power. We will now have a look at this method.

a) The method relies first on the following statement (if $g$ is an element of $G$, the subgroup generated by $g$ is denoted by $\langle g \rangle$).

**Lemma**.  Let $N$ be the order of the element $g$. Suppose that there exists a prime number $\ell$ and an integer $e\geq 1$ such that $\ell^e \mid N$. The map $\Phi_{\ell^e} : \langle g \rangle \to \langle g \rangle$ defined by $g \mapsto g^{N/\ell^e}$ is a group homomorphism to the unique cyclic subgroup of $\langle g \rangle$ of order $\ell^e$.

Prove this lemma.

b) Now let $G$ be a cyclic group of order $N$ with $N = \prod_{i=1}^n {\ell_i}^{e_i}$ its unique prime factorization. Let $g$ be a generator of $G$ and $h\in G$. We consider the following method:

**Step 1.** For any $i \in \{1,\ldots,n\}$, compute the discrete logarithm in the cyclic group $\langle g^{N/\ell_i^{e_i}} \rangle$ for the element $h^{N/\ell_i^{e_i}}$ to the base $g^{N/\ell_i^{e_i}}$. The solution is called $a_i$ and it satisfies $0 \leq a_i < \ell_i^{e_i}$.

**Step 2.** Apply the Chinese remainder theorem to $(a_1,\ldots,a_n)$ modulo $(\ell_1^{e_1},\ldots,\ell_n^{e_n})$: there is a unique solution $a$ with $0 \leq a < N$.

**Conclusion.** $a$ is the discrete logarithm of $h$ to the base $g$.

Using the lemma, prove the conclusion.

c) Write a Sage program `ph_dlp` which takes as input the order `N` of the group $G$, a generator `g` of $G$ and an element `h` of `G`, and output the discrete logarithm of `h` to the base `g` computed by this method. To solve the DLP in groups of order a prime power, you can use your previous `naive_dlp` function. To compute a solution to the  Chinese remainder theorem, you may use the `crt` function.

Try it on several examples with $G = (\Z/p\Z)^*$, including for large values of the prime number $p$. Compare its speed to the `naive_dlp` method.